[New-bugs-announce] [issue11197] information leakage with SimpleHTTPServer

Brett Cannon report at bugs.python.org
Fri Feb 11 19:46:11 CET 2011

New submission from Brett Cannon <brett at python.org>:

As reported to the PSRT:

Python's SimpleHTTPServer class is a simple HTTP server, documented as
serving up the content of the pwd and below readonly via GET and HEAD

 $ python -m SimpleHTTPServer
 Serving HTTP on port 8000 ...

However, by inserting "../" path fragments within the path section of
the URL, it's possible to traverse other directories within the

For example:

 lynx localhost:8000/../../../../..

shows 5 directories above in the directory structure.

I was also able to browse /proc and /sys on this example using:

 lynx localhost:8000/../../../../../../../../proc
 lynx localhost:8000/../../../../../../../../sys

(by browsing to find the correct number of ".." entries to locate the
root directory); arguable this could be leaking much more information
about the host than the administrator might be expecting (e.g. other
programs being executed on the host, command-line arguments of those
programs etc)

This has been fixed in CGIHTTPServer; see

Guido recommended to not make this secret since no one should be using SimpleHTTPServer in production. He also said this should get fixed.

components: Library (Lib)
messages: 128420
nosy: barry, benjamin.peterson, brett.cannon, dmalcolm, georg.brandl, gps
priority: release blocker
severity: normal
stage: needs patch
status: open
title: information leakage with SimpleHTTPServer
type: security
versions: Python 2.5, Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list